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[57] ABSTRACT 

A software -based computer security enhancing process and 
graphical software-authenticity method, and a method to 
apply aspects of the two are disclosed. The process provides 
protection against certain attacks on executable software by 
persons or other software used on the computer. Software 
using this process is protected against eavesdropping (the 
monitoring of software, applications, the operating system, 
disks, keyboard, or other devices to record (steal) 
identification, authentication or sensitive data such as 
passwords, User-ID's, credit-card numbers and expiry dates, 
bank account and PIN numbers, smart-card data, biometric 
information (for example: the data comprising a retina or 
fingerprint scan), or encryption keys), local and remote 
tampering (altering software to remove, disable, or compro- 
mise security features of the altered software) examination 
(viewing the executable program, usually with tbe intent of 
devising security attacks upon it), tracing (observing the 
operating of an executable program step-by-step), and 
spoofing (substituting counterfeit software to emulate the 
interface of authentic software in order to subvert security) 
by rogues (eg: Trojan Horses, Hackers, Viruses, Terminate- 
and -stay- resident programs, co-resident software, multi- 
threaded operating system processes, Worms, Spoof 
programs, key-press password capturers, macro recorders, 
sniffers, and other software or subversions). Aspects include 
executable encryption, obfuscation, anti-tracing, anti-tamper 
& self -verification, runtime self-monitoring, and audiovisual 
authentication (math, encryption, and graphics based 
method permitting users to immediately recognise the 
authenticity and integrity of software). FIG. 5 in the speci- 
fication depicts the many components and their interaction. 

21 Claims, 6 Drawing Sheets 
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COMPUTER SOFTWARE 
AUTHENTICATION, PROTECTION, AND 
SECURITY SYSTEM 

This is a continuation of application Scr. No. 08/679,077, 
filed Jul. 12, 1996. 

BACKGROUND OF THE INVENTION 

The present invention relates to a computer program 
having enhanced security features, and also to a system and 
method for enhancing the security features of a computer 
program. In particular, the present invention relates to such 
a program, and the system and method for creating the 
program, having increased security features to prevent ID 
data (as defined) eavesdropping and/or theft and/or ensure 
authenticity. 

Description of the Prior Art 

Computers are becoming widely interconnected and 
heavily relied upon to process and store sensitive informa- 
tion. The risk of unauthorised access to computers and 
information has increased with this increased interconnec- 
tivity. 

Many security advances exist in the areas of identification 
& authentication of users, cryptography, virus prevention, 
and the like, however — almost all of these advances ulti- 
mately rely upon computer software. Most computer sys- 
tems are, or are accessed by, small personal computers, and 
most software used on these personal computers is suscep- 
tible to "local attacks" — attacks which are mounted from 
inside said personal computers against said software by 
other software or people. 

Passwords, User-ID's, credit-card numbers and expiry 
dates, bank account and PIN numbers, smart-card data, 
biometric information (for example: the data comprising a 
retina or fingerprint scan), cryptographic keys, and the like, 
are all examples of identification, authentication or similar 
data which is either sensitive in itself, or may allow access 
to sensitive, restricted or other information or services. 
Hereafter, the term I D-D ate will be used to refer to the 
abovementioned identification, authentication or similar 
data, excluding ID-Data which is valid only for a single use, 
or which is designed to expire at regular intervals of short 
periods of time, say less than two minutes. 

Illegal access to computer system information can be 
obtained by exploiting various security flaws found in 
computer software products. A common flaw is the suscep- 
tibility of said software to the theft of ID-Data either directly 
from said software as it executes, or, from the operating 
system or hardware on which said software is executing. 
Another common flaw is the susceptibility of said software 
to (illegal) modification. Such modifications may remove, 
disable, or compromise the security features of said soft- 
ware. 

Viruses, Terminate-and stay-resident programs (TSRs), 
co-resident software, multi-threaded operating system 
processes, Trojan Horses, Worms, Hackers, Spoof programs, 
keypress password capturers, macro-recorders, sniffers, and 
the like can be effective at stealing ID-Data and are 
examples of (a) rogue software, (b) people capable of 
subverting security software, or, (c) software which can be 
configured for illegimate purposes. Hereafter, the term rogue 
software will be used to refer to software or subversions 
such as the above mentioned (a) (b) and (c), used for the 
purpose of stealing ID-Data. The definition of our term 
"rogue software" when used herein also includes software or 
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other means used to tamper with other software. The term 
tampering is defined hereafter. 

There are many ways to introduce rogue software into a 
computer system. Viruses spread automatically by introduc- 

5 ing themselves. Trojan-Horses are usually introduced by 
tricking users into allowing them to execute (such as by 
masquerading as a new or well-known computer game or 
other product). Existing security problems may be utilised to 
introduce rogue software, some well known problems 

10 include lava bugs, errors, or oversights, ineffective physical 
security (for example: permitting rogue software to be 
introduced directly on floppy disk by an intruder); electronic 
mail attachments which automatically execute or execute 
after a simple mouse-click, incorrect security settings on 
internet, world-wide-web, TCP/IP or modems, and tamper- 

15 ing (see definition hereafter) with legitimate software 
in -transit as it flows from remote internet sites into a users 
computer, to name a few. 

Rogue software, once introduced, can steal ID-Data as 

2Q mentioned hereinbefore. It may monitor keyboard (for 
example: by recording every key, as the user presses each 
one, in order to steal a password as it is being typed in), 
serial-port, mouse, screen, or other devices to steal ID-Data 
directly from them. It may monitor other software, 

25 applications, the operating system, or disks to steal ID-Data 
from there also. Once stolen, this ID-Data may be stored 
locally (for example: in memory or on-disk) or transmitted 
to remote locations (for example: by modem or network) or 
used immediately to perform illegal operations. Hereafter, 

3Q the term eavesdropping will be used to refer to the moni- 
toring of a computer to record ID-Data. 

For example, a key press recorder could secretly, and 
unbeknown to the computer user, record all the keys pressed 
by the user into a hidden systems file. The information 

35 recorded could include a user's password and other sensitive 
information which an organisation would obviously wish to 
protect. 

Additionally, rogue software may remove, disable, or 
compromise existing computer software security features by 

40 modifying the memory, disk or other image of said computer 
software. Rogue software may also utilise tampering tech- 
niques to alter existing computer software in order to steal 
ID-Data from it, or may attach itself to existing computer 
software (as is the case with many computer viruses). 

45 Hereafter, the term tampering will be used to refer to the 
abovementioned modification of computer software. Tam- 
pering may take place either locally (within a users PC) or 
remotely (for example: at one of the points which a com- 
puter program passes through as it is being download). 

50 Further, counterfeit software can be substituted for legiti- 
mate software. The counterfeit will appear real to a com- 
puter user, but actually acts to subvert security, such as by 
stealing ID-Data. Sometimes called "Spoof" programs or 
Trojan Horses, counterfeit software of this type may invoke 

55 the original legitimate software after having stolen ID-Data, 
so as not to arouse a user's suspicion. 

Another potential security flaw found in computer soft- 
ware products is susceptibility to examination and reverse - 
engineering. Known (but generally secret) and other security 

60 problems or mistakes can be discovered by hackers and the 
like from the examination of existing computer software and 
by tracing its operation. 

Additionally, Computer software piracy is a growing 
problem, and the existing simple means which prevent this 

65 problem (such as registration or serial numbers and 
customer- names being encoded within the product) are 
becoming less effective. 
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There is necessity within the try-before-you-buy software BRIEF DESCRIPTION OF THE DRAWINGS 

market for vendors to employ effective features which allow ^ . * j 

old software to expire without fear of hackers or the like „ ^ P re ?* invent ' on ^11 become more fully understood 

removing said expiry features and for secure registration of from r the . following detailed description of preferred but 

software to be provided through the use of software unlock- 5 "on-bmrtmg embodiments thereof, described m connection 

codes with the accompanying drawings, wherein: 

There is also need for software to be able to prevent FIG - } Urates the standard operation of a computer 

security attacks upon itself (ic: tampering) and upon its own s y stcm known m lhc P nor art; 

attack-detection code. There may also be a future need for FIG - 2 illustrates the known operation of a rogue or 

software to identify the attacker for subsequent prosecution. 10 "spoof program; 

There also exists cases where untamperable software FIG. 3 illustrates application code updated with the pre- 

usage metering may be desirable, and where effective ferred embodiment; 

password-protection of software execution may also be FIG. 4 illustrates the known operation of a rogue eaves- 
desirable, dropping program; 

Known advances in certain areas of computer security FIG. S illustrates the interaction of the components of the 

have been successful and documented. There have been updated application; 

some advances in anti-virus technology which help detect pic. 6 illustrates the general structure of the preferred 

and prevent certain security problems. There have been embodiment of the applicator; 

numerous advances in hardware-assisted computer security 2Q nG ? illustrates a standard layoul for a program t0 be 

add-ons and devices, such as smartcards and biometnc input executed on a com puter system; 

devices. There have been advances in cryptographic tech- ^ Tr _, 0 .„ , J J , e . 

niques. Generally, all of these advances require authentic, ™- 8 the staDdard la y° ut of an EXE header 

un-tampered-with computer software in order to work. under the MS-DOS operating system. 

There have been relatively few advances in software based 2$ FIG. 9 illustrates a standard layout of an EXE program 

integrity self -checking (eg: tamper protection), and no prior under MS-DOS; 

software -based advances in preventing eavesdropping or the FIG. 10 illustrates an altered executable form constructed 

electronic theft of ID-Data, and no prior software -based in accordance with the specific embodiment; 

advances in self-authentication. FIG. 11 illustrates a first stage of execution of the new.exe 

30 executable; 

FIG. 12 illustrates a second stage of execution of the 

This invention seeks to provide computer software having new.exe executable file; and, 

enhanced security features, to a process which substantially FIG. 13 illustrates a third stage of execution of the 

enhances the security of computer software (hereafter new.exe executable file, 
referred to as the improved process) and to a method by 35 

which to apply said improved process (hereafter referred to DETAILED DESCRIPTION OF PREFERRED 

as the applicator). EMBODIMENTS 

Hie improved process consists of including computer Throughout the drawings, like numerals will be used to 

code to automatically detect tampering of said computer identify similar features> except where expressly otherwise 

software, and computer code to prevent the theft of ID -Data * u indicated 

by replacing existing vulnerable (to rogue software eaves- . ... , , , . . - . . , 

/ \ t i \ iv *• . *a *u As will be described hereinafter, the present invention has 

dropping or attack) software or operating system code with . .. .... 4 ' \ 

secure events which utUUe a„ ti -s Py technics (as SttS^SS 

desenbed later in this document). tf Sys , em) MAC|NT0 SH OPERATING SYSTEM, 

Preferably, the improved process also consists of includ- UNIX™ etc 

ing computer code to prevent decompilation reverse- &K security . eohancillg lech . 

engineering, and disassembly by the inclusion of obtuscat- . . , . , „ .. ■'. ? , , N 

. & . . & ' . . J / ... niques to combat eavesdropping. Security is provided by (a) 

ing code inserts, and the use of executable encryption. ^ . f t? j *• \ 

s ' JK hampering examination of software-code operating system 

Preferably, the improved process also consists of includ- so codc or or parts thereof through the use of the encryption or 

ing code to prevent execution-tracing and debugging by the partial cncrypt i on 0 f said codc , ( b ) preventing the disasscm- 

use of code designed to detect and prevent these operations. bly of said code thr ough the inclusion of dummy instructions 

Preferably, the improved process consists of, or also and prefixes and additional code to mislead and hamper 

includes, human-recognisable audio-visual components disassembly (ie: obfuscating inserts), (c) preventing the 

which permit the authenticity of said computer software to 55 computerised tracing of the execution of said code, (for 

be easily verified by the user on each invocation using example; with code debugging tools) through the use of 

techniques described later in this document. instructions to detect, mislead, and hamper tracing, (d) 

The idea which lead to the creation of this invention can preventing tampering of said code through the use of scan- 
be summarised as follows: If a piece of computer software ning to locate alterations, either or both on-disk and in 
that is executing can be shown to be the genuine article, and 60 memory either once at the start of execution, or continuously 
this software can protect itself against eavesdropping, and upon certain events, or (e) preventing ID-Data theft through 
this software can prevent tampering of itself, then is it the inclusion of secure input/output routines (for example: 
possible for this software to function in a secure manner, routines to bypass the standard operating system keyboard 
even within an insecure operating system. This invention calls and use custom -written higher-security routines as a 
permits the creation of such a piece of computer software — 65 replacement) to replace insecure computer-system routines, 
having a tangible, useful security advantage and hence Hereafter, the term anti-spy will be used to refer to any 
improving its value. combination of one or more of the above mentioned tech- 
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niques [(a) through (e) or parts thereof) used to prevent manual and automatic disassembly nearly impossible, since 

eavesdropping. the decryption should be designed to fail if tampering or 

Referring now to FIG. 1 there is illustrated the standard tracing is detected, 
scenario for "running" a given executable program 16, under 

the control of a computer operating system 17 on a computer 5 Aspect 3. Detecting Tampering 

18. In the preferred embodiment of the present invention, the M hereinbefore described, it is desirable to detect 

executable program 16 is subjected to modification, as will tampering, since this may lead to the reduction of software 

be described hereinafter, to ensure its integrity and improve security 

its security. There are five aspects of this inventions ™ . . . . , ... - . , . , . 

% ... t • j . . . t - „ in This can be achieved with the use of code which is 
improved process, although said provess is still substantially 1U . . , - ,. , • . L u u 
. , -r . ii r iL * m. / protected from disassembly and examination through ob rus- 
lm proved even if not all of them are present. Riese aspects r . , . ' . . ^ . i 
r /1 > n , ,~* r cation and encryption, which re-reads its own external- 
are: (1) Preventing eavesdropping (2) preventing disassem- . , •: * i 

bl and examination (3) detectin tam rin (41 reventin image and compares it with its known memory image or 

. . \ r e \ • *■ precalculated check-data to detect hot-patching (ie. the 

execution-tracmg ana W ensunng autnennc.iy. modification of software sometime after it has been loaded 

Preferred embodiments illustrates each of these aspects of from disk ^ but ( usuaUy ) before execution of the modified 

the present invention will now be described. scction has commenced). 

Aspect 1. Preventing Eavesdropping . Addtonally, the software can scan the memory image of 

itself one or more times, or continuously, to ensure that 
As hereinbefore described, it is desirable to prevent rogue 20 unexpected alterations do not occur, 
software from eavesdropping on ID-Date. By replacing Certain modifications to the external copy of software are 
software which is vulnerable to eavesdropping with equiva- reflected in subtle changes to the environment in which the 
lent software which is far more secure, this purpose is modified software will be executed (for example: the size of 
achieved. To remove the vulnerability from the secure t h e code, if altered, will be reflected in the initial code size 
equivalent software, replacement routines may communi- 25 value supplied to the executing program being incorrect.), 
cate directly with the hardware of the computer (for Additionally, certain modification to the operating system 
example, they may communicate with the keyboard circuitry and environment of said software can also be monitored (for 
instead of using the system -supplied (and hence possibly example: certain interrupt vector table pointers in Intel- 
insecure) application interface keyboard -entry function- processor applications) to detect unexpected changes by 
calls.) while disabling system interrupts which would permit 30 rogue software. These changes can also be detected to 
rogue software to eavesdrop. Said replacement routines are prevent tampering. 

coded to store ID-Data retrieved in a secure manner. ID-Data 0nce t ri > a det ected, program flow-of-control 

is not stored in full in plaintext (ie: unencrypted) in system ^ {Q ^ chaQgcd ^ ^ thc compromisc 

or application buffers. associated with ID-Data theft is avoided. This may be the 

a o r*_ r>- li j r- • 35 secur it y-en h a need pro gram terminating with a message indi - 

Aspect 2. Preventing Disassembly and Examination t . i_ i_ • i_ c « r 

r f ' eating that its integrity has been compromised before all of 

As hereinbefore described, it is desirable to hamper the ID Data is entered. Alternatively, the fact that tampering 
disassembly (or de-compilation or reverse engineering) to has been detected may be kept secret and the ID-Data 
protect software against eavesdropping and tampering, and retrieved, however, immediately upon retrieval, the ID-Data 
to hinder examination of said software which might lead to 40 entered can be invalidated thus preventing access to that 
secret security problems or mistakes being disclosed. which the now potentially compromised ID-Data would 
Obfuscating inserts can successfully prevent automatic nave otherwise allowed. This latter method allows for the 
disassembly. Obfuscation is achieved by following uncon- possibility of security -enhanced software informing remote 
ditional jump instructions (for example, Intel JMP or CLC/ <> r other authorities that tampering was detected and possibly 
JNC combination or CALL (without a return expected) or 45 other information, such as what specifically was altered and 
any flow-of-control altering instruction (which is known not b y wnorn ; Care must be taken to ensure the integrity of the 
to return to the usual place) with one or more dummy "remote-informing" code before ID-Data entry is permitted, 
op-code bytes which will cause subsequent op-codes to be ^ A n ^ . 
erroneously disassembled (for example, the Intel OxEA 5Q M ^ c{ 4 Preventing Execution -Tracing 
prefix will cause disassembly of the subsequent 4 op-codes Apart from "spoofing" (described in aspect 5 hereafter) 
to be incorrect, displaying them as the offset to the JMP i ne i ast re sort of a rogue who is prevented from disassembly, 
instruction indicated by the OxEA prefix instead of the tampering, and eavesdropping on software is to trace the 
instructions they actually represent). execution of said software in order to facilitate the compro- 
Dummy instructions may also be included to hamper 55 mise of its security. Hampering tracing (tracing, is some- 
disassembly by deliberately misleading a disassembler into times called debugging) prevents this, 
believing a particular flow of control will occur, when in fact There are numerous methods of detecting a debug- 
it will not. environment (ie: when tracing is taking place). When corn- 
Flow of control can be designed to occur based upon CPU bined with decryption and tamper-protection as hereinbefore 
flag values determined from instructions executed a long eo described, it makes the rogues task of detecting and bypass- 
time ago. Together with tracing preventing, this makes ing debug-detection extremely difiBcult. Reference and 
manual disassembly nearly impossible, examples to Intel and MS-DOS environments follow 
The majority of the executable portions of the software hereafter, although it will be apparent to one skilled in the art 
can be encrypted for external storage. The decryption taking that these and similar methods are applicable on other 
place in-memory after the software is loaded from external 65 platforms. 

sources, under the control of a decryption "header" which Standard Intel x86 interrupts 1 and 3 are used by debug- 

prevents its own tampering and disassembly etc. This makes gers to facilitate code tracing. By utilising these interrupts 
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(which are not normally used by normal applications) in 
security-enhanced software, it hampers debugging, since 
built-in debugging functions are now not automatically 
available. 

Monitoring the system timer to determine if software 
execution has spent too long accomplishing certain tasks can 
detect a situation where code tracing has been in effect and 
a breakpoint was reached. 

Disabling the keyboard will hamper debuggers, since 
tracing instructions are usually issued from the keyboard. 
Similarly, disabling other places from where tracing instruc- 
tions are usually issued (eg: serial ports, printer ports, and 
mouse) or displayed (eg: screen) will also hamper tracing. 

System interrupts can be re -vectored for use within the 
secure software to perform tasks not usually performed by 
those interrupts. Debuggers usually rely upon system inter- 
rupts also, so to do this would usually disable or destroy a 
debugger being used to trace the software. Disabling inter- 
rupts and performing timing-sensitive instructions between 
them will further hamper debugging. When tracing software, 
instructions are usually executed one-at-a-time in order for 
the user to understand their operation. Many system inter- 
rupts must occur regularly (eg: timer and memory re-fresh 
operations), so debuggers usually do not disable interrupts 
even when they encounter an interrupt-disabling instruction. 
If timers and the like are re-vectored in two separate stages, 
any timer (etc) interrupt occurring in between the two stages 
will fail, and usually crash the computer. Further, interrupts 
can be disabled or enabled using obscure means (with 
flag-altering instructions for example) to hamper tracing. 

Discretely testing the status of disabled or enabled system 
facilities (eg. interrupts, keyboard, vector-pointers) to ensure 
that a debug environment has not altered or by-passed them 
will seriously hamper tracing also. 

Certain computer processors have instruction caches. In 
some circumstances, it is possible to alter the instructions 
immediately before the CPU encounters them, but the 
altered instruction will not be executed normally because the 
cache copy has the "old** one still. In debug environments, 
the cache is usually flushed, so any altered instructions will 
actually be executed. This again hampers tracing. 

Using strong cryptographic schemes such as DES "(Data 
Encryption Standard)", or RSA "(RIVEST, SHAMIR, 
ADELMAN, Algorithm) " or the like will present the 
examination of any decryption routines from revealing a 
simple patch to disable said routines. When tracing software, 
the program stack is usually used by the debugger either 
during the tracing operations or at other times. This is easily 
detected, and by using the area of the stack which will be 
destroyed by unexpected stack-use for code or critical data, 
software can be designed to self-destruct in this situation. 

Scanning the command environment and the execution 
instruction can detect the execution of software by unusual 
means. Searching for "DEBUG" in the command line, or 
scanning memory for known debuggers for example will 
detect tracing. Additional, by detecting which operating 
system process initiated the load of the software, unexpected 
processes (eg: debuggers) can be detected. 

Monitoring system buffers (eg: the key board memory 
buffer) or hardware (eg: the keyboard circuitry and internal 
buffers) for unexpected use (eg: keyboard input and pro- 
cessing is occurring when the software is not requesting it) 
will also detect debuggers, which usually rely in part on 
system functions in order to operate. 

Building a process or multiple processes which are tra- 
ditionally difficult to trace, such as a resident or child process 
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which executes during system interrupts or after the parent 
process has terminated will again hamper tracing. 

Bypassing system routines (eg: in DOS, using direct 
memory writes instead of DOS system calls to revector 

5 interrupts) will further hamper debugging and rogue soft- 
ware monitoring, as will unravelling loop constructs (which 
will make tracing long and cumbersome). Code checksums 
and operating-system checks (eg: interrupt table pointers) 
can be designed to detect debug-breakpoint instruction 

io inserts or other modifications. Using the result of the check- 
sum for some obscure purpose (eg: decryption, or (much 
later) control- flow changes) will further hamper tracing. 

It will be apparent to one skilled in the art of low-level 
software programming that a combination of techniques to 

15 detect, prevent, and mislead tracing will provide a mecha- 
nism making tracing very difficult, if not impossible. At the 
very least, it will require an expert with very expensive tools 
and perhaps some understanding of the original software 
design a very long time to make any debugging progress — a 

20 situation which is recognised in military software security 
accrediation worldwide as highly desirable. 

Aspect 5 Ensuring Authenticity 

In accordance with an aspect of the present invention 
25 there is provided a method of providing for a secure entry of 
ID-Data in a computer system comprising activating a visual 
display or animation and/or audio feedback (hereinafter 
called an audio/visual component) as part of said secure 
entry of ID-Data so as to hamper emulation of said secure 
30 entry process. Preferably, the animation includes feedback 
portions as part of the ID-Data entry process. Preferably, the 
animation is repeatable and varied in accordance with the 
information entered. The animation preferably comprises 
2.5D or 3D animation and includes animation of any 
35 ID- Data input. 

Preferably, the animation is designed to tax the computer 
resources utilised and thereby making any forgery thereof 
more difficult. 

It will be apparent to one skilled in the art of low-level 

40 software programming that the five aspects described herein 
may be combined to provide substantially stronger security 
than any aspect taken on its own. For instance, to combine 
tamper-detection with encryption, the precalculated check- 
data as derived during tampcr-dctcction described hcrein- 

45 before may actually be one part of the decryption -key which 
is required to successfully decrypt the remaining executable 
software. If prevention-of-tracing and environment charac- 
teristics (including debugger detection as described 
hereafter) are additional portions of said decryption-key, it 

50 makes the determination of said decryption-key by any 
person or computer program other than the secure original 
an extremely difficult, if not impossible, task. 

Further, it will also be apparent to one skilled in the art of 
low-level software programming that a simple construct 

55 such as a JNE to alter program flow-of-control after tam- 
pering has been detected is insufficient, since the JNE 
construct itself is subject to tampering. The decryption 
process described hereinbefore is preferable since there is no 
single point of alternation that can possibly yield a tampered 

60 executable that would execute. Indeed, the executable pro- 
tected with encryption will not even be transformed into its 
intended form if tampering is detected. 

GENERAL DESCRIPTION OF PREFERRED 
65 EMBODIMENT^) 

Nol withstanding any other forms which may fall within 
the scope of the present invention, preferred forms of the 
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invention will now be described, by way of example only, Firstly, the executable portion of the secured ID-Data 

with references to the accompanying drawings. entry code can be protected against tracing, disassembly, 

In the preferred embodiment of the present invention the tampering viewing, reverse engineering keyboard entry 

user interface for the acquiring of ID-Data is secured theft, eavesdropping, hot patching and other attacks by 

whereby the duplication of the interface is rendered math- 5 transforming the secured ID-Data entry program code 31 

ematically complex such that cipher-code breaking tech- from its normal executable form 16 (FIG. 2) to a corre- 

niques are required to produce a counterfeit look-alike sponding secured form of executable (as hereinbefore 

interface. By making the authentication interface (ie: described— refer aspects 1 to 4). These techniques are 

ID-Data entry screen— for example: a logon screen or a preferably applied to the application code 16 in general or 

screen for entering credit card details) unable to be JQ less preferably specifically limited to the ID-Data entry 

emulated, tampered with, or reversed engineered, the apph- portions 24 thereof 

cation program allows for a higher degree of security and .,,..„, tn n , • 

authenticity even in insecure environments such as the Additionally, the secure ID-Data entry program code 31 is 

Internet or home software applications. Referring now to itself created. This code 31 preferably comprises a complex 

FIG. 2, there is illustrated a classic form of rogue attack on graphical user interface series of screens and animation 

a computer system. In this form of rogue attack, a rogue's 15 designed to make duplication by a rogue thereof extremely 

"spoof" program 22 is inserted between application software difficult. 

16 and the user 23. The application 16 normally has a Initially, the complex user interface should include facili- 

portion 24 devoted to ID-Data entry and verification or the tics to disable any frame buffer recording devices, the 

entry of commercially sensitive information (including pass- disablement occurring before each frame is displayed. Also, 

words etc) to the application in addition to the application 20 whefe a mu i t i-tasking operating system is in use, or where 

code 25. The spoof program 22 is designed to exactly reflect context switching ^ enablcdf switching out of the interface 

the presented user interface of ID-Data entry code 24 to the screen js ferabl disab]ed or ID . Data enlry procedures 

user. The user 23 is fooled into utilising the masquer- Qr terminated when the interfac Vscreen is 

ading spoof program 22 as if it was the application 16. ^ 

Hence the user can be tricked Unto ^^"S ^r- 25 ^ J ^ Jex 3D P animation 

mation to the spoof program 22. An example may include a , J . . . , , r _ \ . . t 

classic "login spoof 1 wherein the spoof program 22 prints sequences having a high degree of complexity and extensive 

the login prompt (ie: ID-Data entry) message on the screen use of screeD colours and resolution in addition to 

and the user mistakes the login prompt for a legitimate one, ™ ual desi g° so as 10 make thereof extremely 

supplying a user name and password to this program 22 30 dlfficult - 

which records this information as well as passing it on to the The complex computer graphics can be created utilising 

login code 24 of application 15 so as not to arouse the standard techniques. For information on how to create 

suspicion of user 23 — or by issuing a message, such as complex 3D imagery, reference is made to "Compare 

"incorrect password, please try again" and then passing Graphics, Principles and Practice" by Foley, Van Dam et al, 

control to the login code 24 of application 16. 35 published 1990 by Addison-Wesley Publishing Company or 

Referring now to FIG. 4, there is illustrated a relatively other standard textbooks on generation of computer graph- 
new form of rogue attack 40. This form of attach proceeds i<*. Reference is also made to the numerous internet news 
similarity to the spoof attack of FIG. 2, with the following groups and archives on graphics and games programming, 
difference. Instead of a spoof program 22, a rogue program specifically to: com. graphics. research, 
41 is inserted which secretly eavesdrops on ID-Data entry 40 com. graphics. rendering, comp. graphics. raytracing, 
code 24, or on application code 25, or on operating system comp .graphics, misc, comp.graphics.digest, comp.graphics 
17, or on hardware 18 or elsewhere in order to steal sensitive animation, comp. graphics. algorithms, comp.graphics, alt- 
information directly from the legitimate application. Since -graphics pistils, alt.graphics, rec.games.prograramer, 
the legitimate application is still actually executing, the comp.sys. programmer, comp.sys.ibm. programmer, 
users suspicion is not aroused, since rogue program 41 is 45 comp.sys.ibro.pc.programrner, comp.os.msdos.programmer, 
generally invisible to the user 23. Alternatively, executable comp.msdos.programmer, alt.msdos.programmer. Refer- 
program 16 may have been tampered with (as hereinbefore ence is also made to "PC Games Programmers Frequently 
described) to reduce its security, alleviating the necessity for Asked Questions" document available on the internet, via 
the presence of rogue program 41. rcc. games. programmer and elsewhere. 

In FIG. 5, there is illustrated in detail the structure of an 50 Bv encoding a complex 3D image which forms part of the 

application 50 constructed in accordance with the preferred ID-Data entry screens, the hurdle requirement of a rogue to 

embodiment running on computer hardware 18. FIG. 5 is reverse engineer the complex imagery is substantially 

similar to FIG. 4 with the important difference that user 23 increased. The inclusion of graphical animation is advanta- 

now communicates directly with secure drivers 51 which are geous in preventing static screen shot duplication attacks by 

part of the secure ID-Data entry program code 31 which is 55 a rogue form succeeding, 

utilised by the security-enhance (eg. tamper protected) As noted above, it is preferable that traditionally difficult 

application code 52. It can be seen that the user 23 no longer graphical programming techniques are employed wherever 

communicates with the operating system 17 or the unpro- possible, with the aim of making it more detectable for a user 

lected computer hardware 18, thus the rogue program 41 can interacting with the system to discern lesser copies of the 

no longer eavesdrop on ID-Data. 60 animation. Suitable 3D animation can include the introduc- 

In FIG. 3, there is illustrated, in more general terms than lion of shadows, the lighting of pseudo-3D animated objects, 

FIG. 5, the structure of an application 30 constructed in transparent or translucent objects, shing, reflective, or mir- 

accordance with the preferred embodiment wherein secure rored objects, gravitational effects in animated objects, 

ID-Data entry program code 31 is provided which is single-image-random-dot-stereogram bitmaps or backdrops, 

extremely difficult to replicate, eavesdrop upon or subvert. 65 translucent threads, effects such as diffraction patterns, 

The secured ID-Data entry program code 31 can be created, screen masks, backdrops, colour palette "animation", com- 

utilising a number of different techniques. plex animated objects resistant to simple hidden -surface 
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removal techniques known to those skilled in the art and appear on-screen when entered (eg; a password), since the 

directed to hindering duplication. display of a corresponding object would give a rogue 

Further, the animation can take into account: information on which to base guesses of the secret ID-Data. 

1. Thwarting attempts at compression of the ID-Data By utilising cryptography or having complex formulas to 
entry screens. This can be achieved by having animation 5 determine the sequencing of animation, the rogue program- 
which has low visual entropy and having many graphical ming the corresponding spoof program shall have to crack 
elements which are altered from frame to frame in a manner the cryptographic scheme in order to get the selection of 
which is highly discernible to the human viewer. Apart from character animation correct for any generalized attack. In the 
being difficult to replicate, complex 3D computer imagery abovementioned example, a rogue will have to determine 
having low entropy or redundancy will require larger 10 Ihe algorithm for producing the face, since human beings are 
amounts of storage space for a rogue attempt at duplication adept at recognising faces, and will immediately notice if the 
based on recording the screen output and therefore be more face displayed on the screen is incorrect. Such a technique 
readily discernible to the user should this form of attack be allows for a mathematically secure, visual method to guar- 
mounted antee the authenticity of the software which generates the 

2. The animation is further preferably designed to thwart 35 screen Redback. The user of the software is instructed to 
a successful replay attach which is based on providing only note i the j ir own parUcular animation sequence and to imme- 
a subset (limited number of frames) of the screen animation ^ discontmumg utilisation of the application 30 should 
to a viewer. This can be achieved, for example, by the that sequence ever change. The user may also be instructed 
inclusion of several animated spheres which "bounce" , n to contact a tmsted person such as the supplier or operator 
around the screen and change colours in a manner that is 20 ° u f lhe apphcation to confirm that the animation sequence 
recognisable to the viewing user but which is not readily they witness is the authentic sequence intended by said 
repeatable. A replay of only a subset of the screen anima- supplier 

tions to the viewer will be highly evident in this case when, Further, the particular animation presented for a particular 

upon looping the user is alerted to a problem when the application 30 can be further customised for each applica- 

animation "skips" or "jumps" and does not operate in a lion so as to be distinct (such as by the incorporation of the 

previously smooth manner. This makes it difficult for a applications name as part of the animated image), 

rogue spoof program to copy the animation without includ- Further hindrance for a rogue programmer can be created 

ing all parts of it. by hand coding portions of the animation in assembly 

3. Most importantly, the graphics presented can be cust- 30 language so as to generate the maximum possible complex- 
omised to the input data entered. For example, the informa- ity and interaction in the animation with the highest level of 
tion entered by a user can be rendered and/or animated by detail for individual workstation computers. This further 
the secure ID-Data entry program code 31 (FIG, 3). As an raises a hurdle allowing for the easier detection of rogue 
example, in an ID-Data entry program, when a user types in spoof programs 22 which will often be written in a more 
their user name, the animation can be created letter by letter. 35 convenient, higher level language (such as C or C++) which 
For example, when typing in the user name "CHRIS" each will also operate at a different speed, the user being 
letter could be rendered differently depending on those instructed to look for speed differences. 

characters previously typed. For example, the letter "I" Further, animated scene timing can be utilised, providing 
might appear as a large "barbers-pole" which spirals and anti-looping and frame removal detection is still catered for, 
changes colour, speed, size, and/or position and is slightly 40 The animated scene timing allows for a user to detect 
transparent, thereby allowing the animated seen which is a unexpected irregularities in a frequently presented animated 
backdrop to the character to be discerned through the interface. By including in the animation some deliberate 
character itself. For example, in the above example, the regularity (such as the rhythmic convergence of some parts 
letter "I" would only appear as the specific animated barbers of the animation in one particular spot), a rogue program- 
pole that is does if the previous letters entered were "C", 4S ming a spoof program shall also have to duplicate the 
"H", and "R" respectively. preferably complex timing events necessary to accomplish 
The utilisation of a unique sequence of animation based this convergence. The regular nature of the scene timing 
on a user's input of information sensitive data increases the should be high enough so that the user expects to see certain 
difficulty of creating any "spoof program" attack on the events and thereby making it difficult for a rogue spoof 
application 30. This is especially the case since the execut- 50 program to copy the animation without including all parts of 
able code of application 30 is preferably in an encrypted it- 

form. The use of animation being particular to the order in Preferably, where possible, all ID-Data is immediately 

which characters are entered is particularly advantageous as encrypted which makes recovery of the ID-Data by a rogue 

the computational complexity of replication is substantially through analysis of the computer program memory difficult, 

increased. 55 Preferably, public-key cryptographic methods (eg: Elliptic- 

A similarly effective animation technique is 'to produce curve, RSAor DIFF1E-HELLMAN cryptography) should be 

only one graphical object after entry of each portion of used making it impossible to reverse engineer the crypto- 

ID-Data, such as a computer-generated human's face, but graphic code to decrypt any sensitive information should it 

have the features of said face be determined by a hash or be stolen in its encrypted form. Prohibiting all or most 

cryptographic function based upon the users input. For 60 interrupts when data is to be entered and encrypting or 

example, after entry of the ID-Data "CHRIS" (in this hashing the sensitive information immediately so that it is 

example, the individual characters may not, themselves, be only stored partially, or in an encrypted form, before 

based on the abovementioned generation procedure), a teen- re-enabling interrupts is one example of achieving this 

age girl's face with long blonde hair and blue eyes may be objective. 

displayed. If the "S" was instead a "D", the face would be 65 As a further alternative, analysis of a user's personal 

entirely different. The ID-Data used for producing an object characteristics can be included as part of the interface. The 

for display should not be ID-Data which is designed not to can include attempts at recognition of a user's typing style 
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(duration of keypresses, delays between subsequent keys, computer operating system 17 (FIG. 1) for running of the 

choice of redundant keys, mouse usage characteristics, etc) executable 16. This can include relocation data, code size 

or by additional authentication techniques, including etc. The code section 72 is normally provided for storing the 

smartcards, biometric inputs such as finger prints detectors "algorithmic" portion of the code. The data section 73 

etc. 5 normally is utilised to store the data, such as constants, or 

Further, the graphical animation routines can be "water- overlays 92 utilised by the code section 72. 

marked" by the secure ID-Data entry program code in that Turning now to FIG. 6, the preferred embodiment of an 

"hidden" information may be incorporated into the scene applicator program 60 is shown which takes as its input the 

(for example "salted-checksums") to allow careful analysis executable program 16 and performs an obfuscating step 61, 

of the output of secure ID-Data entry program code 31 to 10 a ciphering step 62 and an anti-key press and authentication 

distinguish between original graphics animation and coun- step 63 (described hereafter) which perform various trans- 

terfeit animation. For example, the hidden information may formations on the executable program 16 to produce a new 

be encoded in the least-significant bit of pixel data at executable program 30. 

selected locations of the animation. The obfuscating step 61 modifies the header 71 (FIG. 7) 

The user determinable sequence of animation can also 15 of the executable 16 in addition to inserting loading code 

extend to the provided audio animation. For example, audio which will be described hereinafter. The cipher step 62 

and other feedback techniques including music and speaking encrypts the existing executable 16 and calculates check 

tones can be played in response to particular key stroke data (eg: a checksum) for the encrypted executable. The 

combinations. By utilising different voices and/or tones anti-key press and authentication step 63 replaces various 

and/or volumes and pitches for each keystroke or 20 insecure system calls with safe equivalent code and prefer- 

combination, the security of the application 30 can, once ably inserts code to graphically represent the integrity of 

again, by substantially increased. The change in voice into- said executable program. 

nation will be readily "learnt" by a user and thereby further The newly formed executable 30 (new.exe) can be then 

inhibit a rogue's ability to duplicate the same sequence of stored on disk and the applicator program 60 completed, the 

sounds or voices. Of course, the encoding of the voice 25 new executable 30 replacing the old executable program 16. 

system should be in an encrypted form. When it ^ desired to run the replacement executable 

Further, upon detecting any attempt to subvert the secure program 30, the replaced executable (new.exe) executes the 

ID-Data entry program code 31 (eg: subsequent to detecting obfuscating code, previously inserted by applicator 60. The 

tampering), a notification message is preferably sent to a ^ Q obfuscating code initially decrypts the executable program 

prosecuting body or the like where the application 30 is and validates the stored check-data before re-executing the 

currently, or later becomes connected to a network such as decrypted executable. 

the Internet, or by other means (eg: via Modem or by ^ c foregoing description of the preferred embodiment 

including coded information in public or other files). nas t^en in general terms and it will be understood by those 

For application programs 30 requiring activation by a host 35 skilled in the art that the invention has general application to 

program executed on a different computer, a secure means of many different operating systems, including MS (Microsoft) 

activation can be incorporated into the client application 30, DOS (Disk Operating System), APPLE MACINTOSH OS 

The host and client intercommunication can issue challenge (Operating System), OS/2 (OPERATING SYSTEM 2), 

and response code authentication and verification utilising UNIX, etc. 

cryptographic systems such as public-key encryption and/or 4Q The most common operating system utilised today is the 

other standard means of overcoming data replay attacks and MS-DOS (Microsoft Disk Operating System) operating sys- 

other threats designed to trick the secure client application tem. This operating system is designed to run on INTEL x86 

30 into activation. microprocessors and includes a large number of historical 

It would be appreciated by a person skilled in the art that "quirks" which give use to greater complexity than would 
the process of coding any data entry process utilising these 45 perhaps be otherwise required when designing a new oper- 
techniques, together with additional techniques to protect ating system from "search". For illustrative purposes, there 
against recording, and eavesdropping, and executable pro- will now be presented a specific embodiment of the pre- 
lection techniques may be necessary to improve the security ferred embodiment designed to operate under the MS-DOS 
of the interface. Additionally, executable encryption, addi- operating system. Unfortunately, the example is quite com- 
tional authentication, and other methods are desirable in 50 plex as it operates in the framework of the MS-DOS 
producing the protected executable. operating system. Therefore, it is assumed that the reader is 

familiar with systems programming under the MS-DOS 

SUMMARY OF THE APPLICATOR (of an operating system. For an extensive explanation of the inner 

Improved Process of Security as Hereinbefore workings of the MS-DOS operating system, reference is 

Described) 55 mac j e t0 standard texts in this field. For example, reference 

A preferred embodiment of Ihe present inventions' is made to "PC Intern" by Michael Tischer, published in 

method (hereinbefore described as the "applicator") by 1994 by Abacus, 5370 52nd Street, S.E. Grand Rapids, 

which to apply an improved process of security (as herein- Mich. 49512. A second useful text in this matter is "PC 

before described) will now be described with reference to Architecture and Assembly Language" by Barry Cauler, 

the accompanying drawings. 60 published 1993 by Carda Prints, 22 Regatta Drive, 

Referring now to FIG. 7, there is shown a standard formal Edgewater, Wash. 6027, Australia, 

utilised for storing executables on disk, often occurring in The specific embodiment of the present invention will be 

the art, and in particular in conjunction with programs run on described with reference to altering an "EXE" executable 

the above mentioned operating systems. The standard program under DOS in accordance with the principles of the 

executable 16 normally comprises a header section 71, a 65 present invention. 

code section 72, and a data section 73. The header section 72 Referring now to FIG. 9, there is shown the structure 90 

normally stores a standard set of information required by the of an executable "EXE" program in MOS-DOS as normally 
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stored on disk. This structure is closely related to the address 109 of execution stored in header 101 is altered to 

structure 16 of FIG. 7 which illustrates the more general be the start of netsafe 1 portion 104. 

case. The structure 90 includes a header 71, otherwise (8) As mentioned before, code portions 103, 106 and 105 

^T n ^J^ D0S ,ermin , ol °8y » Prog,™ .*gmem are object to encryption or encipherment in accordance 

prefix (KP). This is normally followed by a relocation table 5 stcp 62 of FIG. 6. The encryption scheme utilised can 

91 which contains a hsl of pointers to vanables within a code bfi subjectcd subslamial variali ^ ,„ tnisembodimem) the 

area 72 which must be updated with an offset address when ncc \ , , . , , , 

the program is loaded into a particular area of memory. The D f stand ^ e «*«™ was utilised. This scheme 

operation of the relocation table is well known to those relies on a fifty -six bit key fore ncrypUon and decryption and 

skilled in the art of systems programming. The next portion B wcU known in tbe art * 

of structure 90 is the code area 72 which contains the Once encrypted, it is necessary to store the decryption key 

machine instructions for operation on the x86 microp races- in new exe executable 30. A number of different methods 

sor. This is followed by a program data area 73 which can be utilised to store the key. The preferred method is to 

contains the data for code area 72. Finally, there may exist spread portions of the key to different positions within the 

a number of overlays 92 which contain code which can be executable 30. For example, bits of the key can be stored 

utilised in a known manner. 15 within the netsafe 1 code 104 and netsafe 2 code 107. 

Referring now to FIG. 8, there is shown the structure of Additionally, bits of the key can be stored within header 

EXE file header 71 in more detail. The table of FIG. 8 being portion 101. Also, it is envisaged that bits of the key can be 

reproduced from page 750 of the above mentioned TIscher stored in tbe condition codes which are a consequence of 

reference. It should be noted that the header 71 includes a execution of various instructions within netsafe 1 area 104 

number of fields including, for example, a pointer 81 to the 20 and nctsafc 2 arca 107 and/or the operating system 17 (FIG. 

start of the code 72 (FIG. 7) and a pointer 82 to the relocation ^ thc ovcrall requirement being that the key can be 

table 91 (FIG. 9). l ater ex t r acted using a predetermined algorithm. 

In the specific embodiment the applicator program 60 (9) The next step is to patch the address of the start of code 

(FIG. 6) proceeds by means of the following steps: area n and netgafe 2 code area 10? imo tfae requifed 

(1) The executable program 16 is opened for reading and « locations within netsafe 1 area 104. 

a determination made of its size ^ Qetsafe l ^ fa tfaen {o ^ ffle C0Qtaini 

(2) The header 71 (FIG. 9) of executable program 16 is flew exe executable 30 

then read in and a copy is stored within applicator program . . 

Cfl A _ , . r f , 1 . ^„fT , m *\ J f 1ft1 (10) The area 106 is then encrypted as aforementioned 

60. A copy of the header 71 is written out to form part 101 \ ... . , , ™ r JL i _i 

of the new.exe file 30 as illustrated in FIG. 10. 30 and wnt * n to th f e e ™ ble 30 fo ^ wed b V overla y s 92 and 

(3) Next, from the fields 81, 82 of the header 71 (FIG. 8) CDCI ^ ted netSafe 2 ^ P 0rtl0n 107 ' 

a determination is made of the size of relocation table 91 of < n ) ^ wm become apparent hereinafter, upon execution 

executable program 16. ofnew.exe executable 30, netsafe 2, area 107 is responsible 

*a\ at , j . .• j f -i f) , t for loading code portion 105 over the top of netsafe 1 area 

(4) Next, determination is made of the size of the execut- _ c tn . _ * ,K • . , 

u \ a ^ a . ^ ■ ~ ni 35 104. Therefore, it is necessary to write the relevant addresses 

able code 72 and data portions 73. . . _. j * j • ._ • j 

,„ ^ f [, . , . . . of the start and end of code portion 94 to the required 

(5) The relocation table 91 is then read into the memory nofCQ f 0 o Q „„ in-r 
_ v / ^ * . . • i iL position within netsate 2 area 1U7. 

of the applicator program 60. As noted previously, the ^ A . n . , . . ■ f c ^ 

relocation table 91 consists of a series of the pointers to ( 12 > ^ Wl11 bc described hereinafter, netsafe 2 area 107 

positions within code segment 72 which are required to be 40 * also ^sponsible for decrypting the encrypted portions of 

updated when loading the program exe file into memory for codes 103 > l04 > 105 ' 106 '. and 107 and hence lbe netsafe 2 

execution. The relocation table is sorted 93 by address area 107 must also store this combined code size for later use 

before being written out to the new.exe executable file at 00 decryption. 

position 102. Finally, a overall checksum for new.exe 30 is calculated 

(6) As noted previously, the relocation table 91 consists of 4S and storcd at thc cnd of tbc filc at position 108. This 
a series of pointers into code area 72. A determination is checksum is later used to verify the decryption procedures' 
made of the size of a code, known as the "netsafe 1" code success and to prevent the execution of "scrambled" code, 
104, the contents of this code will be described hereinafter, whicb would be the result if newexe 30 werc tampered with. 
Next, a search is conducted of the sorted relocation table 102 As will be further described hereinafter, netsafe code 
to find an area between two consecutive pointers within code 50 areas 104 and 107 contain code to decrypt the encrypted 
section 72 which is of greater magnitude than the size of areas of the new.exe 30, to repatch code portion 105 back to 
netsafe 1 code 104. This area 94, designated part B in FIG. its original position, and to replace potentially insecure 
9 is located. If this code portioned 94 cannot be located the routines or easily spoofed screens normally utilised by the 
applicator program 60 exists with an error condition. application (eg: unsafe keyboard drivers) with an alternative 

Upon finding code portion 94, the code portion 95, also 55 sa ^ c ^ orrn °^ routme ' 

denoted part A is encrypted and copied across to form new Upon execution of the new.exe executable 30, the execut- 

code portion 103. Code portion 94 is then encrypted and able starts at the start of netsafe 1, area 104 (FIG. 11), as thus 

copied to an area 105 of new.exe 30. The netsafe L code 104 address has been previously patched into position 109 (FIG. 

is then inserted by applicator 60. Code portion 96, also L0) of header 101 (FIG. 10). The netsafe 1 area 104 then 

denoted part C is encrypted and copied across to form code 60 performs the following steps (Al) to (A10). 

portion 106. Data portion 73 and overlay portion 92 are (Al) The first step is to disable all the interrupts apart 

copied into new.exe 30 as shown. A second portion of from those necessary for continued operation of the com- 

obfuscating code, denoted "netsafe 2" 107, the contents of puter device 18 (FIG. 1) (for example, memory refresh 

which will be described hereinafter, is then inserted after cannot be disabled). The disabling of interrupts includes the 

overlays 92 and before code portion part B 105. 65 disabling of the keyboard interrupt in order to stop amateur 

(7) The header 101 is then updated to reflect the altered "code snoopers" from determining the operation of the code 
layout of new.exe executable 30. Additionally, the initial area 104. 
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(A2) The next step is to interrogate the calling environ- read past the end of file of the disk copy of new.exe 30 (FIG. 

me nt of the operating system slack to ensure that the 10) to ensure that no extension (eg: viral) has occurred, 

program new.exe was not called by a debugging program (B4) The encrypted portions of the memory copy (FIG. 

which is tracing the operation of new.exe. Additionally, the 11) of new.exe are then decrypted utilising the key and once 

data variables necessary for operation of netsafe 1 code area 5 decrypted, the decrypted portions are again checked and 

104 are defined to be on the operating system stack (Refer tested against predetermined data. 

Address OEH and 10H in FIG. 8). This stack will change The next step in execution of the netsafe 2 code 113, is to 

unexpectedly when in a code snooping or debugging envi- replace insecure (eg: keyboard) system routines with a more 

ronment and will cause the debugger to crash, thereby secure method. Referring now to FIG. 12, there is shown the 

stopping a it from following the operation of new.exe to current state of the new.exe executable in memory. The 

executable 30. insertion of the more secure system routines then proceeds 

/* *\ tl , * » .J tU u -j • m accordance with the following steps (Cl) to (C5): 

(A4) The interrupt trap addresses are then altered in a two . , „ . . \ 

t v ~™ r * * . * c * * r *u (Cl) Firstly, a second memory allocation is done to set 

S?n P £*^ ™% firSt t Sta * e reSCtS * * fSt Paf ° f ,i he aside an area 51 (FIG. 13) for the storing of the secure 

SEG-OFF address format and occurs at this point with a hardwafe routines \ keyDOard) . ™ ese r * utines are then 

second stage occurring at a later time as well be further 15 ^ ^ ^ ^ % ^ ^ {q ^ 

described herein below. By staging the alteration of interrupt memory area 51 

trap addresses, any code snooper will be farther confused as (C2) ^ ^ , D DaU emry rommes which afe nonnaUy 

said trap addresses will initially be garbage. activated by the interrupt table 131 when dealing with 

(A5) Any input from the keyboard is further disabled by ID-Data input are altered such that, rather than pointing to 

informing the MS-DOS operating system to ignore any 20 corresponding areas of the MS DOS operating system 17, 

received keys, they point to the corresponding secure area 51. These 

(A6) The second stage of the revectoring of the normal interrupts include interrupt 9 which occurs when a key is 

debugging interrupts is then applied so that the normal P ressed <> n » keyboard, interrupt 29h which read a key and 

debugging interrupts can be used by the decryption code, to „ int / erru P t 16h which tests for ±c P resencc of a ke ^ 

be described hereinafter, thereby making debugging almost 25 ( C3 > ^ executable 30 (FIG. 13) is then ready for 

impossible execution and the registers are initialised, the memory area 

, ^ 113 deallocated & control passes to the original start address 

(A7) A check is then made to ensure that the above of executable program 16. 

processes have been successful in that the debugger inter- (C4) , t wiu be evidem> thal when execulingj all keybo ard 

rupts do not point to any debuggers, the keyboard is still 3 o calls (or other ID-Data entry calls, if other than keyboard) 

disabled and the operating system has disabled the accep- w jn be paS sed to keyboard (or other) routines 51 with the 

tance of keys from the keyboard. keyboard hardware being interrogated directly by keyboard 

(A8) The key for decryption is then reconstructed utilising routines 51 to return information to the calling program, 

the reverse process to that utilised in storing the information Keyboard routines 51 include a copy of the correct interrupt 

located in the key 35 vector addresses for each keyboard routine and each time 

(A9) Turning now to FIG. 11, there is shown the standard ,he y "lied a check is made of the interrupt table to 

format of the executable new.exe 30 when executing in ensure " has not a'fed. Preferably, keyboard 

memory. As will be well known to those skilled in the art, rou , ines 51 P«**» keyboard hardware by .ssu.ng con- 

_ . \ac r\r\c P „ct am «,;n troller reset or similar commands to flush the keyboard data 

an executing program under the MS-DOS system will . ... .... 

■ „ „«Jli, hi „„a „r^u ™« 11^ a «n™ 40 out of the circuitry after said data is retrieved to prevent 
include a stack 111 and work space 112. A memory alloca- ** u J . • « .-r iL . . j 
tion (Malloc) call is then done to set aside an area 113 for the hard ™ rc eavesdroppmg or routines 51 utilise the protected 
loading in of the netsafe 2 code 107 of FIG. 10. The disk mechanisms of the central processor to protect said hard- 
copy of new.exe 30 (having the format shown in FIG. 10) is ware frorn eavesdropping 

then opened by the netsafe 1 code 115 and an encrypted copy ( C5 ) m " cn thc executable 30 terminates, interrupt 21/! (an 

of netsafe 2 code 107 (FIG. 10) is then loaded in from the « MS-DOS standard) is called. Tins interrupt is also revec- 

disk file, decrypted and stored in memory area 113. The tored to a corresponding area of routines 51. T^e termination 

relocatable pointers of the code contained within the netsafe code of keyboard routine area 51 restores the correct inter- 

2 code 113 are then updated to reflect the position of the ™P l P ointcre m interrupt table 131 to point to the MS-DOS 

executable in memory. operating system 17, and clears the no-longer-needed pro- 

/A^m^ - . i , ? - .n, 50 gram and data from memory before returning to the DOS 

(A10) Control is then passed to netsafe 2 code 113. * system fey cMng \ hQ rea l interrupt 21. 

The code area netsafe 2, 113 then performs the following ^ foregoing describes only Qn embodimcnt of 

steps (Bl) to (B4): (hc prcscnt invention particularly to the operation of the 

(Bl) The portion of code of the disk copy denoted part B, MS-DOS operations system. It will be evident to those 

105 (FIG. 10) is read in from disk in an encrypted format and 55 skilled in the art) thal me principles outlined in the particular 
written over the old netsafe 1 code 115. embodiment can be equally applied to other operating 

(B2) As will be further described hereinafter, the netsafe systems in accordance with the objects of the present 

2 area 113 includes a number of keyboard routines which are invention. Further, combinations, variations and/or 

preferably stored in an encrypted format. Therefore, the next modifications, obvious to those skilled in the art, can be 

step is to apply the decryption to any of the encrypted areas go made to the present invention. All such combinations, varia- 

of netsafe 2 code area 113. After decryption, the netsafe 2 lions and/or modifications should be considered to fall 

area 113 is checksum med and the result is tested against a within the scope of the invention as broadly hereinbefore 

prestored checksum to ensure the integrity of netsafe 2 area described and as hereinafter claimed. 

113. I claim: 

(B3) The disk copy of the new.exe is then again read in 65 1. A computer system having software having input 

and checked against prestored check data to ensure that it routines with enhanced security features for entry of 

has not been changed. Additionally, an attempt is made to ID-Data comprising: 
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a processor; and 

a memory, wherein said software stored in said memory 
when executed by said processor comprises: 
anli- spy techniques within said input routines which 

prevent or hamper eavesdropping; 5 
detect tampering of said software which, upon detec- 
tion of tampering, either disallow the subsequent 
entry of ID-Data into said input routines, or which 
invalidate said ID-Data in order to disallow current 
and subsequent access to that which said ID-Data 1Q 
would have otherwise allowed; and 
further comprising at least one of the following code 
contained in said software: 

code to automatically scan memory of said software 
one or more times before or during execution of 
said software to detect tampering; 15 

code to store or communicate details of detected 
tampering for later examination, said details 
including all or part of said tampered software, or 
other information available to said tampered soft- 
ware from said computer system; and 20 

code to prevent, or detect and subsequently prevent 
tracing, or misleading code debuggers and the 
execution of tracing by utilizing debugger trap 
facilities for the normal operation of said security- 
enhanced software, or monitoring system timers 25 
or timing-sensitive instructions or monitoring 
CPU stack contents or monitoring system buffers 
to detect the activity of code debuggers, or dis- 
abling facilities such as, the keyboard, serial ports, 
printer ports, mouse, screen or system interrupts in 3Q 
order to hamper code debuggers, or testing that the 
disabled status is still true of said facilities to 
detect code debuggers, or utilizing system inter- 
rupts which would ordinarily be used by code 
debuggers for the custom purposes of said 
security-enhanced software, or utilizing CPU 
instruction caches together with self-modifying 
code to mislead code debuggers, or scanning or 
interrogating the operating system or executable - 
load-process to detect code debugger instructions 
or environments, characterized in that the program 
optionally includes a process or multiple pro- 
cesses which are resident or child processes of 
said security-enhanced software which execute 
during system interrupts of after the parent process 
has terminated in order to hamper tracing. 

2. A method of altering an original executable program to 
form an altered executable program having increased 
security, said method comprising the steps of: 

(a) inserting obfuscating code into a first number of ^ 
predetermined areas of said executable program; and, 

(b) encrypting portions of said executable program for 
later decryption upon execution; such that, upon execu- 
tion of said altered executable program, said execution 
includes the steps of; 

(c) decrypting the altered executable program; and 

(d) restoring said altered executable program to said 
original executable program. 

3. A method as claimed in claim 2 further comprising one 

or more of the following: 60 
said obfuscating code include replacement codes for 
insecure system routines and said method further 
includes the step of (e) replacing the execution of said 
insecure system routines with said replacement codes; 
said steps (c) and (d) occur while simultaneously sub- 55 
stantially disabling eavesdropping on the operation of 
said steps (c) and (d) by any rogue program; 
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said step (a) includes inserting a portion of said obfus- 
cating code into the code area of said original execut- 
able program; and, 

said step (e) includes altering portions of an interrupt 
vector table to point to said replacement codes; 

said step (b) includes the storing of a decryption key in a 
plurality of predetermined areas of said altered execut- 
able program, said predetermined areas include the 
condition codes of predetermined instructions of said 
altered executable program. 

4. A method of providing for a secure entry of ID data or 
input information in a computer system comprising: 

a. activating a visual display or animation or audio 
feedback (hereinafter called an audiovisual component) 
as part of said secure entry of said ID data or said input 
information so as to substantially hamper cumulation of 
a secure entry process; and 

b. audio/visual component feedback comprising at least 
two of: 

i) at least part of said input information; 

ii) at least part of information based upon some trans- 
formation of at least part of the software comprising 
said audio or visual component or the computer 
operating system upon which said audio or visual 
component operates. 

5. A method as claimed in claim 4 wherein 

said audiovisual component has repeatable characteristics 
during subsequent invocations of said entry process, 
such that said audiovisual component on each invoca- 
tion of said entry process has a predetermined resem- 
blance to the audiovisual component of all other invo- 
cations of said entry process, or, 

said audiovisual component is varied in accordance with 
the information entered. 

6. A method as claimed in claim 4 wherein said audiovi- 
sual component comprises moving parts and/or includes 
2,5-dimensional animation or 3-dimensional animation, and/ 
or, said audiovisual component includes a representation of 
said input information, preferably comprising (a) display of 
a single graphical object, and/or (b) production of a single 
audio-feedback sequence, after the entry of all or part of said 
input information. 

7. A method as claimed in claim 6 wherein said input 
information representation includes animation of input char- 
acters and/or audible or other feedback determined by input 
characters, wherein the representation of said input charac- 
ters may optionally vary for each character based on the 
result of a predetermined transformation of the preceding 
inputted characters, wherein said transformation utilises 
cryptographic or hashing methods. 

8. A method as claimed in claim 6 wherein: the ease by 
which faithful replication of said audiovisual component is 
substantially reduced by inclusion in said audiovisual com- 
ponent the techniques of on screen shadow rendering and/or 
spot or flood scene fighting effects and/or scene or object 
shading and/or transparent or translucent objects and/or 
shiny, reflective, or mirrored objects and/or real-time ani- 
mation roughly obeying real world gravitational effects 
and/or single-image-random-dot stereogram bitmaps or 
backdrops and/or partial scene masking effects and/or full or 
partial scene distortion or diffraction effects and/or animated 
objects designed to resist simple hidden-surface removal 
techniques and/or animated bitmaps and/or audible echo 
effects and/or differing audio voice effects and/or differing 
audio volume and/or differing audio tones or pitches; 
wherein, said audiovisual component is optionally immedi- 
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ately recognisable to human beings and includes information 
which identifies to the user the application to which said 
audiovisual component belongs; wherein, the ease by which 
faithful replication of said audiovisual component may 
optionally be further reduced by inclusion in said audiovi- 5 
sual components animation object movement timing such 
that at near regular and frequent intervals regularities occur 
which are obviously recognisable to users of said entry 
process; and preferably, wherein, said entry process includ- 
ing said audiovisual component utilises a substantial portion 1Q 
of the computational resources of said computer system; 
and, wherein, said entry process code responsible for said 
audiovisual component is coded in the assembly language of 
the computer system preferably wherein recording said 
audiovisual component by said computer system is disabled. 

9. A method as claimed in claim 4 wherein (a) the facility 15 
to suspend or swap-out said entry process is either disabled, 
or, (b) immediately upon suspension request, said entry 
process is protected against subsequent examination by 
encryption or by termination and removal from memory or 
said entry process, or, (c) where the facility to allow the 20 
central processor or processors of said computer system to 
execute code other than the code of, or the code necessary 
for said entry process is either disabled or else said entry 
process is protected against examination. 

10. A method as claimed in claim 4 wherein: said entry 25 
process hampers simple recording by utilising the maximum 
practicable use of audiovisual frame rate, and/or audiovisual 
resolution, and/or screen colours; and/or, audiovisual design 

in said audiovisual component on said computer system, 
and/or said entry process hampers the compression of 30 
recorded output from said audiovisual component by utilis- 
ing high audiovisual entropy and/or by the inclusion of 
random or other noise in said audiovisual component; 
wherein, said audiovisual component preferably includes 
continuous output such that the looping of only a subset of 35 
said output shall not reproduce a copy largely indistinguish- 
able to said audiovisual component. 

11. A method as claimed in claim 4 wherein said ID -Data 
or said input information is encrypted by a cryptographic 
process or hashed immediately upon entry and a plain text 40 
equivalent is not stored by said computer system; and/or, 
wherein disablement of one or more interrupt instructions 
(or equivalent CPU devices) is utilised to protect said 
cryptographic or said hash process of said ID-Data to 
hamper the recovery of said ID -Data by processes other than 45 
said entry process. 

12. A method as claimed in claim 4 wherein said input 
routines or said secure entry process prevents the 
re-vectoring of system interrupts in order to protect said 
ID-Data or said input information form being stolen, by 50 
means of re-applying interrupt vector pointers one or more 
times and/or by means of examining interrupt assignments 

in order to perform a predetermine d function should the 
expected assignments be altered. 

13. A method as claimed in claim 4 wherein in order to 55 
further authenticate and/or identify said user, additional 
aspects of said ID-Data or said input information are used 
including the duration of individual key presses and/or 
mouse button presses and/or the delay between subsequent 
individual key presses or mouse button presses and/or the 60 
user's selection of particular keys when more than one 
equivalent exists and/or the acceleration or velocity charac- 
teristics of mouse usage and/or where said input information 
includes information from other sources including biometric 
and/or smartcard information. 65 

14. A method as claimed in claim 4 wherein said input 
routines or said secure entry process authenticates itself 



22 

using (a) executable code checksums of RAM or other 
images of its own executable code and/or data, (b) and/or 
comparison of memory with other stored copies of said 
executable code, (c) and/or decryption of said entry process 
(d) and/or detection of executable tampering by examination 
of the executable 's environment (e) and/or comparison of 
executable size with expected values (f) and/or by attempt- 
ing to read past the end of the executable file to determine 
that the size is correct; parts (a) through (f) occurring either 
upon initial load or during or after execution one or more 
times or continually during execution. 

15. A method as claimed in claim 4 wherein said input 
routines or said secure entry process: 

makes use of system interrupts to monitor itself in order 
to detect alternation of itself; 

incorporates means by which to notify and/or transmit 
authentication failure details to a third person or pro- 
cess should said self authentication fail, records a log of 
the usage and/or details of the user of said input 
routines or said secure entry process; 

incorporates warning s within the executable image indi- 
cating that examination and/or tampering is prohibited; 

stores loading and/or decryption routines are stored within 
the executable image in such a way as they initially 
replace other entry process routines and upon success- 
ful decryption and/or authentication, said other entry 
process routines are replaced; 

hampers executable-code tracing through control- flow 
changes in debug environments or through disabling 
one or more system interrupts and/or disabling the 
keyboard and/or disabling the mouse or other input 
devices and/or making use of the program stack pointer 
to discern existence of a debug environment and/or 
utilising debug interrupts for program code operation 
and/or self-modification of executable code and/or 
examination of CPU flag registers and/or verification of 
disabled interrupts still -disabled state and/or verifica- 
tion of disabled keyboards still-disabled state and/or 
loading additional executable code into memory during 
execution; 

includes obfuscating assembly language dummy opera- 
tion codes or instruction prefixes inserted after one or 
more unconditional branches to hamper executable 
disassembly and/or decompilation and/or reverse engi- 
neering; 

becomes securely activated by its activation process and/ 
or a host or server computer using a challenge/response 
activation protocol or using public or private key 
cryptographic methods; and/or 

becomes stored outside of said computer system memory 
in encrypted form and/or where said entry process 
employs techniques to hinder executable-code tracing 
and/or executable-code disassembly or disclosure or 
decompilation and/or executable-code tampering and/ 
or executable-code hot-patching and/or reverse- 
engineering and/or pre, in, or post-execution 
executable-code recording, copying, eavesdropping or 
retrieval and/or theft of said input information from 
keyboard hardware or software or drivers. 

16. A method as claimed in claim 4 wherein said audio- 
visual component contains watermark information incorpo- 
rated into the scene to allow close inspection of said audio- 
visual component to distinguish between the genuine 
process and a close replica. 

17. A computer program product for requiring the entry of 
ID-data for access thereto, said program characterized by 
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having an enhanced security structure or features to prevent using an obfuscating process to hamper or prevent eaves- 
ID -data eavesdropping or theft or to ensure authenticity, dropping; 



detecting tampering; and 



having: 

a computer readable storage medium for holding codes; 

and 5 if tampering is detected, selecting an action of either 

further comprising one or more of the following: disallowing subsequent entry of the user identification 

code for preventing ID-data eavesdropping, by commu- data into input routines or invalidating the user identi- 

nicating directly with input hardware of a computer; fication data in order to disallow current and subse- 

code for preventing disassembly thereof, said code for quent access to the user identification data. 

preventing disassembly comprising obfuscating inserts, 19. jh e method of claim 18, wherein program code that 

dummy instructions or executable encryption; ^ vulnerable to eavesdropping is replaced with equivalent 

code for preventing tampering therewith, said code to program code wherein said vulnerability is removed, and 

prevent tampering comprising: wherein said equivalent program code communicates 
code for reading its own image including external or 15 difCClly with lhe hardware of the computer while disabling 
internal memory images or calculating check data ^ wQuld softwarc tQ eavesd 

associated therewith; and 

code for comparing said read image or calculated 20. The method of claim 18, further comprising using 

check-data with an authentic image or check-data to encrypting or inserting dummy instructions in said user 
prevent execution-tracing, and code for disabling 20 identification data to hamper or prevent eavesdropping, 
interrupts or for performing timing -sensitive instruc- 2 1. The method of claim 18, wherein detecting tampering 

tions between interrupts; or, includes code that re-reads the code's own external-image or 

code for ensuring authenticity, by providing an audio or ^ [n{ ^ m . and fes a calcu . 

video feedback to an output device to be viewed or , . j . , F -a ■ Tu 1 1 , a u 1 

, . . . lated checksum of said image with a pre-calculated check- 

heard by an operator. 25 

18. A method for enhancing the security of access to user sum - 

identification data by software on a computer system com- 

prising: . ♦ . ♦ • 
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